<h2>Why is this an issue?</h2>
<p>Accessing a <a href="https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/nothing">Nothing</a> value will always throw a <a
href="https://learn.microsoft.com/en-us/dotnet/api/system.nullreferenceexception">NullReferenceException</a> most likely causing an abrupt program
termination.</p>
<p>Such termination might expose sensitive information that a malicious third party could exploit to, for instance, bypass security measures.</p>
<h3>Exceptions</h3>
<p>In the following cases, the rule does not raise:</p>
<h4>Extensions Methods</h4>
<p>Calls to extension methods can still operate on <code>Nothing</code> values.</p>
<pre>
Imports System.Diagnostics.CodeAnalysis
Imports System.Runtime.CompilerServices
Imports System.Text.RegularExpressions

Module Program
    &lt;Extension&gt;
    Function RemoveVowels(Value As String) As String
        If Value Is Nothing Then
            Return Nothing
        End If
        Return Regex.Replace(Value, "[aeoui]*", "", RegexOptions.IgnoreCase)
    End Function

    Sub Main()
        Dim StrValue As String = Nothing
        Console.WriteLine(StrValue.RemoveVowels()) ' Compliant: 'RemoveVowels' is an extension method
    End Sub
End Module
</pre>
<h4>Unreachable code</h4>
<p>Unreachable code is not executed, thus <code>Nothing</code> values will never be accessed.</p>
<pre>
Public Sub Method()
    Dim o As Object = Nothing
    If False Then
        o.ToString() ' Compliant: code is unreachable
    End If
End Sub
</pre>
<h4>Validated value by analysis attributes</h4>
<p><a href="https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/attributes/nullable-analysis">Nullable analysis attributes</a> enable
the developer to annotate methods with information about the null-state of its arguments. Thus, potential <code>Nothing</code> values validated by one
of the following attributes will not raise:</p>
<ul>
  <li> <a href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullattribute">NotNullAttribute</a> </li>
  <li> <a href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullwhenattribute">NotNullWhenAttribute</a> </li>
  <li> <a href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnattribute">DoesNotReturnAttribute</a> </li>
  <li> <a href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnifattribute">DoesNotReturnIfAttribute</a>
  </li>
</ul>
<p>It is important to note those attributes are only available starting .NET Core 3. As a workaround, it is possible to define those attributes
manually in a custom class:</p>
<pre>
Public NotInheritable Class NotNullAttribute ' The alternative name 'ValidatedNotNullAttribute' is also supported
    Inherits Attribute
End Class

Public Module Guard
    Public Sub CheckNotNull(Of T)(&lt;NotNull&gt; Value As T, Name As String)
        If Value Is Nothing Then Throw New ArgumentNullException(Name)
    End Sub
End Module

Public Module Utils
    Public Function Normalize(Value As String) As String
        CheckNotNull(Value, nameof(Value)) ' Will throw if 'Value' is Nothing
        Return Value.ToUpper() ' Compliant: value is known to be not Nothing here
    End Function
End Module
</pre>
<h4>Validated value by Debug.Assert</h4>
<p>A value validated with <a href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.debug.assert">Debug.Assert</a> to not be
<code>Nothing</code> is safe to access.</p>
<pre>
Imports System.Diagnostics

Public Sub Method(MyObject As Object)
    Debug.Assert(MyObject IsNot Nothing)
    MyObject.ToString() ' Compliant: 'MyObject' is known to be not Nothing here.
End Sub
</pre>
<h4>Validated value by IDE-specific attributes</h4>
<p>Like with null-analysis-attribute, potential <code>Nothing</code> values validated by one of the following IDE-specific attributes will not
raise</p>
<h5>Visual Studio</h5>
<ul>
  <li> <a href="https://learn.microsoft.com/en-us/dotnet/api/microsoft.validatednotnullattribute">ValidatedNotNullAttribute</a>  (The attribute is
  interpreted the same as the <a
  href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullattribute">NotNullAttribute</a>)  </li>
</ul>
<h5>JetBrains Rider</h5>
<ul>
  <li> <a href="https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#NotNullAttribute">NotNullAttribute</a> </li>
  <li> <a href="https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#TerminatesProgramAttribute">TerminatesProgramAttribute</a> <pre>
Imports System
Imports JetBrains.Annotations

Public Class Utils
    &lt;TerminatesProgram&gt;
    Public Sub TerminateProgram()
        Environment.FailFast("A catastrophic failure has occurred.")
    End Sub

    Public Sub Method()
        Dim MyObject As Object = Nothing
        TerminateProgram()
        MyObject.ToString() ' Compliant: unreachable
    End Sub
End Class
</pre> </li>
</ul>
<h2>How to fix it</h2>
<p>To fix the issue, the access of the <code>Nothing</code> value needs to be prevented by either:</p>
<ul>
  <li> ensuring the variable has a value, or </li>
  <li> by checking if the value is not <code>Nothing</code> </li>
</ul>
<h3>Code examples</h3>
<h4>Noncompliant code example</h4>
<p>The variable <code>MyObject</code> is equal to <code>Nothing</code>, meaning it has no value:</p>
<pre data-diff-id="1" data-diff-type="noncompliant">
Public Sub Method()
    Dim MyObject As Object = Nothing
    Console.WriteLine(MyObject.ToString)   ' Noncompliant: 'MyObject' is always Nothing
End Sub
</pre>
<p>The parameter <code>Input</code> might be <code>Nothing</code> as suggested by the <code>if</code> condition:</p>
<pre data-diff-id="2" data-diff-type="noncompliant">
Public Sub Method(Input As Object)
    If Input Is Nothing Then
        ' ...
    End If
    Console.WriteLine(Input.ToString) ' Noncompliant: 'Input' might be Nothing
End Sub
</pre>
<h4>Compliant solution</h4>
<p>Ensuring the variable <code>MyObject</code> has a value resolves the issue:</p>
<pre data-diff-id="1" data-diff-type="compliant">
Public Sub Method()
    Dim MyObject As New Object
    Console.WriteLine(MyObject.ToString) ' Compliant: 'MyObject' is not Nothing
End Sub
</pre>
<p>Preventing the non-compliant code to be executed by returning early:</p>
<pre data-diff-id="2" data-diff-type="compliant">
Public Sub Method(Input As Object)
    If Input Is Nothing Then
        Return
    End If
    Console.WriteLine(Input.ToString) ' Compliant: if 'Input' is Nothing, this part is unreachable
End Sub
</pre>
<h2>Resources</h2>
<h3>Documentation</h3>
<ul>
  <li> CVE - <a href="https://cwe.mitre.org/data/definitions/476">CWE-476 - NULL Pointer Dereference</a> </li>
  <li> Microsoft Learn - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.nullreferenceexception">NullReferenceException Class</a> </li>
  <li> Microsoft Learn - <a href="https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/attributes/nullable-analysis">Attributes for
  null-state static analysis interpreted by the C# compiler</a>
    <ul>
      <li> Microsoft Learn - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullattribute">NotNullAttribute
      Class</a> </li>
      <li> Microsoft Learn - <a
      href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullwhenattribute">NotNullWhenAttribute Class</a> </li>
      <li> Microsoft Learn - <a
      href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnattribute">DoesNotReturnAttribute Class</a>
      </li>
      <li> Microsoft Learn - <a
      href="https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnifattribute">DoesNotReturnIfAttribute Class</a>
      </li>
    </ul>  </li>
  <li> Microsoft Learn - <a href="https://learn.microsoft.com/en-us/dotnet/api/microsoft.validatednotnullattribute">ValidatedNotNullAttribute
  Class</a> in Visual Studio </li>
  <li> JetBrains Resharper - <a
  href="https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#NotNullAttribute">NotNullAttribute</a> </li>
  <li> JetBrains Resharper - <a
  href="https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#TerminatesProgramAttribute">TerminatesProgramAttribute</a>
  </li>
  <li> Microsoft Learn - <a href="https://learn.microsoft.com/en-us/dotnet/visual-basic/language-reference/nothing">Nothing keyword (Visual Basic)</a>
  </li>
</ul>

